Posts with «hid» label

MalDuino is an Arduino-powered USB device which emulates a keyboard and has keystroke injection capabilities. It’s still in the crowdfunding stage, but has already been fully backed, so we anticipate full production soon. In essence, it implements BadUSB attacks much like the widely known USB Rubber Ducky, which appeared on Mr. Robot.

It’s like an advanced version of the HID tricks for dropping malicious files that we previously reported. Once plugged in, MalDuino acts as a keyboard, executing previously configured key sequences at very fast speeds. This is mostly used by IT security professionals to hack into local computers, just by plugging in the unsuspicious USB ‘Pen’.

[Seytonic], the maker of MalDuino, says the objective is for it to be a cheaper, fully open source alternative with the big advantage that it can be programmed straight from the Arduino IDE. It’s based on the ATmega32u4, like the Arduino Leonardo, and will come in two flavors, Lite and Elite. The Lite is quite small and will fit into almost any generic USB case. There is a single switch used to enable/disable the device for programming.

The Elite version is where it gets exciting. In addition to the MicroSD slot that will be used to store scripts, there is an onboard set of dip switches that can be used to select the script to run. Since the whole platform is open sourced and based on Arduino, the MicroSD slot and dip switches are entirely modular: nothing is hardcoded, and you can use them for whatever you want. The most skilled wielders of BadUSB attacks have shown feats like setting up a fake wired network connection that allows all web traffic to be siphoned off to an outside server. This should be possible with the microcontroller used here, although it is not native to the MalDuino’s default firmware.

For most users, typical feature hacks might include repurposing the dip switches to modify the settings for a particular script. Instead of storing just scripts on the MicroSD card you could store word lists on it for use in password cracking. It will be interesting to see what people come up with and the scripts they create, since there is a lot of space to tinker with and enhance it. That’s the greatness of open source.

The software for KeyMouSerial copies keystroke and mouse information and sends this out via a serial port on his laptop (using a USB to serial adapter). From there the information is translated by an Arduino into HID commands which are sent via USB to the target computer, in this case a Raspberry Pi. It’s a pretty elegant solution to carrying a bulky keyboard and mouse along just for a Raspberry Pi, or for any computer that might not have access to a network and SSH.

[Peter] has also been working on using his iPod as a serial-to-USB converter, so if you’re a Rockbox developer and want to help out then drop him a line. All of the software is available (for Windows, Mac, or Linux) including the Arduino sketch if you want to try this software out for yourself. And, if you don’t want to turn a computer into a keyboard and want to go the other direction and turn a keyboard into a computer, that is also an option.

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.

[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.

Protecting against this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
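Because these devices type "at very fast speeds", as noted above, keystroke timing is another signal a defender can use alongside USB device control. The following is an added example, not code from any of the projects described here: it flags a keyboard whose first keystrokes arrive faster than a person can type, and raises priority when that happens right after the device is attached. The event tuple format, device names and thresholds are assumptions; a real endpoint agent would supply the events.

```python
from dataclasses import dataclass
from statistics import median

# Assumed thresholds, to be tuned per environment.
MIN_HUMAN_GAP_MS = 30.0   # sustained gaps below this are faster than human typing
BURST_LEN = 10            # keystrokes examined after a device appears
ATTACH_WINDOW_MS = 2000.0 # typing this soon after enumeration raises priority

@dataclass
class Verdict:
    device: str
    median_gap_ms: float
    first_key_delay_ms: float
    suspicious: bool      # inhuman typing rate
    high_priority: bool   # ...and it started right after the device was attached

def analyse(events):
    """events: (timestamp_ms, device_id, kind) tuples, kind is 'attach' or 'key'."""
    attached, keys = {}, {}
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            attached[dev], keys[dev] = ts, []
        elif kind == "key" and dev in attached:
            keys[dev].append(ts)
    verdicts = []
    for dev, stamps in keys.items():
        if len(stamps) < BURST_LEN:
            continue  # not enough keystrokes to judge
        burst = stamps[:BURST_LEN]
        med = median(b - a for a, b in zip(burst, burst[1:]))
        delay = burst[0] - attached[dev]
        fast = med < MIN_HUMAN_GAP_MS
        verdicts.append(Verdict(dev, med, delay, fast, fast and delay < ATTACH_WINDOW_MS))
    return verdicts

# Constructed sample: kbd-A types every 5 ms starting 0.8 s after attach;
# kbd-B is a person typing 15 s after plugging in a keyboard.
SAMPLE = [(0.0, "kbd-A", "attach"), (0.0, "kbd-B", "attach")]
SAMPLE += [(800.0 + 5 * i, "kbd-A", "key") for i in range(12)]
SAMPLE += [(15000.0 + t, "kbd-B", "key")
           for t in (0, 140, 310, 420, 650, 790, 930, 1100, 1260, 1400, 1580)]

if __name__ == "__main__":
    for v in analyse(SAMPLE):
        print(v)
```
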

Cheap keyboards never come with extra buttons, and for [Pengu MC] this was simply unacceptable. Rather than go out and buy a nice keyboard, a microcontroller was found in the parts drawer and put to work building this USB multimedia button human interface device that has the added bonus of looking like an old-school Walkman.

The functions that [Pengu MC] wants don’t require their own drivers. All of the buttons on this device are part of the USB standard for keyboards: reverse, forward, play/pause, and volume. This simplifies the software side quite a bit, but [Pengu MC] still wrote his own HID descriptors, tied all of the buttons to the microcontroller, and put it in a custom-printed enclosure.

If you’re looking to build your own similar device, the Arduino Leonardo, Micro, or Due have this functionality built in, since the USB controller is integrated on the chip with everything else. Some of the older Arduinos can be programmed to do the same thing as well! And, with any of these projects, you can emulate any keypress that is available, not just the multimedia buttons.

The newly released Arduino Leonardo has a few very interesting features, most notably the ability to act as a USB keyboard and mouse thanks to the new ATmega 32U4 microcontroller. This feature isn’t exclusive to the Leonardo, as [Michael] explains in a build he sent in – the lowly Arduino Uno can also serve as a USB HID keyboard with just a firmware update.

The Arduino Uno (and Mega) communicate to your computer through a separate ATmega8U2 microcontroller. Simply by uploading new firmware with the Arduino Device Firmware Upgrade, it’s easy to have your old Arduino board gain some of the features of newer boards such as the Teensy or Leonardo.

[Michael] goes through the steps required to make this upgrade work and ends his build by showing off an Arduinofied ‘cut, copy and paste’ button project as well as a few multimedia controls. You can check those builds out in the video after the break.

If emulating a USB keyboard isn’t your thing, it’s also possible to install LUFA firmware to emulate everything from joysticks to USB audio devices. Very cool, and very useful.

One of the exciting new features of the Arduino Leonardo is its ability to act as a USB human interface device like a keyboard or mouse. This can make interfacing hardware projects with third-party software much easier. For example, if you want to build a physical button to go backwards in your web browsing history, you can have the Arduino send your browser’s keyboard command for back each time you hit the button. But if you have an Arduino Uno, you’re not out of luck.

Michael Mitchell recently shared his tutorial on how to use DFU Programmer to update the firmware on the Atmega8U2, which, according to the Arduino documentation, “acts as a bridge between the computer’s USB port and the main processor’s serial port” on the Uno. Michael also points out that you’ll need to make a slight hardware modification to the board if you have the DIP version of the Uno board—SMD Uno owners can keep their soldering irons holstered for this one. Michael demos his tutorial with a volume controller for his Ubuntu box and naturally he offers all the code you need to make your own.

We had a small stock of Arduino Leonardos in the Maker Shed for their announcement at Maker Faire but they sold nearly as fast as we could put them out. We finally got them back in stock so you can buy one right now in the Maker Shed (while they last!)

At first glance, the Arduino Leonardo looks just like an SMD version of the Arduino Uno with a micro USB port. It’s blue, has the same footprint, same pin-out, and the same layout as its brother. The internals are also very similar. It features nearly the same RAM, flash, and clock speed as the ATmega328 processor found in the Uno. So why is the Leonardo different? Because it uses the ATmega32u4. This processor has built in USB communication which eliminates the need for a secondary USB to serial converter. The ATmega32u4 creates a virtual (CDC) COM port on your computer every time it runs its bootloader. Since it’s virtual, it can also behave like an HID (Human Interface Device) meaning the Leonardo can “act” like a keyboard or mouse, opening it up to a whole new range of projects. This processor also has additional I/O capabilities, allowing pins 4, 6, 8, 9, 10, and 12 to be used as analog inputs (12 total vs. the UNO’s 6). In addition, the Leonardo has one additional PWM pin (13) and all 20 I/O pins can be used as digital pins.

Of course, this new functionality doesn’t come without a price (although the price is only $20!) Since the Leonardo uses a virtual COM port, it can make certain tasks a bit more complicated (see the Getting Started Guide.) For this reason, we recommend this board to makers with some Arduino experience. Also, some of the pin assignments are slightly different so while the Leonardo is compatible with most shields, it may not be compatible with all. Advanced shields that use I2C or SPI (such as Ethernet shields) will work so long as they were updated to match the new Arduino Uno layout that was released last year. For full shield compatibility and ease of use, see the tried and true Arduino Uno.